Abstract. We prove that if $x^m + ax^n$ permutes the prime field $\mathbb F_p$, where $m > n > 0$ and $a \in \mathbb F_p^*$, then $\gcd(m-n, p-1) > \sqrt p - 1$. Conversely, we prove that if $q \ge 4$ and $m > n > 0$ are fixed and satisfy $\gcd(m-n, q-1) > 2q(\log\log q)/\log q$, then there exist permutation binomials over $\mathbb F_q$ of the form $x^m + ax^n$ if and only if $\gcd(m, n, q-1) = 1$.



1. Introduction 

A polynomial over a finite field is called a permutation polynomial if it permutes the elements of the field. These polynomials first arose in work of Betti [1] and Hermite [10] as a way to represent permutations. A general theory was developed by Hermite [10] and Dickson [6], with many subsequent developments by Carlitz and others. The simplest class of nonconstant polynomials are the monomials $x^m$ with $m > 0$, and one easily checks that $x^m$ permutes $\mathbb F_q$ if and only if $m$ is coprime to $q-1$. However, already for binomials the situation becomes much more mysterious. Some examples occurred in Hermite's work [10], and Mathieu [17] showed that $x^{p^i} - ax$ permutes $\mathbb F_q$ whenever $a$ is not a $(p^i - 1)$-th power in $\mathbb F_q$; here $p$ denotes the characteristic of $\mathbb F_q$.

A general nonexistence result was proved by Niederreiter and Robinson [20] and improved by Turnwald [28]:

Theorem 1.1. If $f(x) := x^m + ax^n$ permutes $\mathbb F_q$, where $m > n > 0$ and $a \in \mathbb F_q^*$, then either $q < (m-2)^4 + 4m - 4$ or $m = np^i$.

This result implies that, when $q > m^4$, the only permutation binomials over $\mathbb F_q$ are the compositions of Mathieu's examples with permutation monomials. The key ingredient in the proof of Theorem 1.1 is Weil's lower bound [33] for the number of $\mathbb F_q$-rational points on the curve $(f(x) - f(y))/(x - y)$.

We do not know whether Theorem 1.1 can be improved in general. However, for prime fields it was improved by Wan [30] and Turnwald [28]; by using ingredients from both of their proofs, one can show the following result, which improves both of their results:

Theorem 1.2. If $f(x) := x^m + ax^n$ permutes the prime field $\mathbb F_p$, where $m > n > 0$ and $a \in \mathbb F_p^*$, then $p - 1 \le (m-1)\cdot\max(n, \gcd(m-n, p-1))$.

The proofs of Wan and Turnwald rely on a trick due to Hermite [10], which can be viewed as a character sum argument: they find an integer $\ell$ with $0 < \ell < p-1$ such that $f(x)^\ell \bmod (x^p - x)$ has degree $p-1$. This implies that $\sum_{c \in \mathbb F_p} f(c)^\ell \ne 0$, so $f$ does not permute $\mathbb F_p$. We will prove the following stronger result by exhibiting two integers $\ell$, at least one of which must have the above property:

Theorem 1.3. If $f(x) := x^m + ax^n$ permutes the prime field $\mathbb F_p$, where $m > n > 0$ and $a \in \mathbb F_p^*$, then $\gcd(m-n, p-1) > \sqrt{p - 3/4} - 1/2 > \sqrt p - 1$.

Writing $g := \gcd(m-n, p-1)$, the conclusion of this result can be restated as $p - 1 < (g+1)\cdot g$, whereas the conclusion of Theorem 1.2 says that $p - 1 \le (m-1)\cdot\max(n, g)$. Thus, Theorem 1.3 implies Theorem 1.2 whenever $g + 1 \le m - 1$, which always holds except in the special case that $n = 1$ and $(m-1) \mid (p-1)$. We emphasize that Theorem 1.3 is qualitatively different from all previous results, since it gives a bound on $p$ which depends only on $\gcd(m-n, p-1)$, and not on the degree of $f$.

Both Theorem 1.2 and Theorem 1.3 yield improvements to Weil's lower bound for the number of rational points on the curve $(f(x) - f(y))/(x - y)$ appearing in the proof of Theorem 1.1. On a related note, for any polynomial $f$ over $\mathbb F_p$ of degree in a certain range, Voloch [29] has improved Weil's upper bound for this same curve. In a different direction, for hyperelliptic curves over $\mathbb F_p$ one can improve both the upper and lower Weil bound when the genus is on the order of by using Stepanov's method [HI [H [H HI [ISl IS IM]. All of these improvements are specific to prime fields. It would be interesting to understand what are the types of curves for which one has such improvements to Weil's bounds.

Theorem 1.3 is not true for nonprime fields; one counterexample is $x^{?} + 3x$ over $\mathbb F_{343}$, and we have found several infinite families of counterexamples, which we will describe in a forthcoming paper.

Returning to prime fields, we suspect that Theorem 1.3 can be improved. We checked via computer that, for $p < 10^{?}$, the hypotheses of Theorem 1.3 imply that $\gcd(m-n, p-1) > p/(2\log p)$. It seems likely that this improved result remains true for larger $p$, but we do not know a proof. The best we can do is give a heuristic to the effect that 'at random' there would not be any permutation binomials $x^m + ax^n$ over $\mathbb F_q$ with $\gcd(m-n, q-1) < q/(2\log q)$. Of course, our examples over nonprime fields show that this heuristic is not always correct, but those examples exhibit nonrandom features dependent on the subfield structure of $\mathbb F_q$, which is in line with our 'at random' notion.

Conversely, following earlier investigations of Hermite [10] and Brioschi [2, 3], Carlitz [4] studied permutation binomials of the form $x^n(x^{(q-1)/2} + a)$. He showed that there are permutation binomials of this shape (with $n = 1$ and $a \in \mathbb F_q^*$) whenever $q > 7$. He proved a similar result for the form $x(x^{(q-1)/3} + a)$, and more generally in a paper with Wells [5] he proved

Theorem 1.4. If $d > 0$ and $q \equiv 1 \pmod d$, where $q$ is sufficiently large compared to $d$, then for each $n > 0$ with $\gcd(n, q-1) = 1$ there exists $a \in \mathbb F_q^*$ such that $x^n(x^{(q-1)/d} + a)$ permutes $\mathbb F_q$.

The proof of this result is quite remarkable, as it uses the Weil lower bound on an auxiliary curve to prove the existence of permutation binomials. This (and a generalization in [32]) is the only known instance of the Weil bound being used to prove existence of permutation polynomials. We give a new proof of a refined version of Theorem 1.4 which allows us to estimate the number of such $a$'s:
Theorem 1.5. Pick integers $0 < n < m$ such that $\gcd(m, n, q-1) = 1$, and suppose $q \ge 4$. If $\gcd(m-n, q-1) > 2q(\log\log q)/\log q$, then there exists $a \in \mathbb F_q^*$ such that $x^m + ax^n$ permutes $\mathbb F_q$. Further, letting $T$ denote the number of values $a \in \mathbb F_q$ for which $x^m + ax^n$ permutes $\mathbb F_q$, and putting $r := (q-1)/\gcd(m-n, q-1)$, we have

$$\frac{r!}{r^r}\Bigl(q + 1 - \sqrt q\,(r^{r+1} - 2r^r - r^{r-1} + 2) - (r+1)r^{r-1}\Bigr) \le T \le \frac{r!}{r^r}\Bigl(q + 1 + \sqrt q\,(r^{r+1} - 2r^r - r^{r-1} + 2)\Bigr).$$

We note that the condition $\gcd(m, n, q-1) = 1$ is clearly necessary if $x^m + ax^n$ is to permute $\mathbb F_q$. In some special cases a weaker estimate for $T$ was derived in a recent paper by Laigle-Chapuy [13], via methods quite different from ours.

We checked that, for each $q < 10^{?}$, and for every $m > n > 0$ satisfying $\gcd(m, n, q-1) = 1$ and $\gcd(m-n, q-1) > 2q/\log q$, there exists $a \in \mathbb F_q^*$ such that $x^m + ax^n$ permutes $\mathbb F_q$. Combined with our previously mentioned computer data, this paints a rather clear picture of permutation binomials over prime fields.

As a final remark, we note that several papers prove results about the special binomials $x^m + ax$. In general, if a binomial has a term of degree coprime to $q-1$, then one can convert it to this special form by composing with suitable permutation monomials and reducing mod $(x^q - x)$. However, there are binomials for which this is impossible. For instance, $f(x) := x^{?} + 17x^{?}$ permutes $\mathbb F_{139}$, but the degrees of both terms of $f$ have a common factor with $138$.

Throughout this paper, $\mathbb F_q$ is the field of order $q$, and $p$ is the characteristic of $\mathbb F_q$. In particular, $p$ is always prime. We prove Theorem 1.3 in the next section. Then in Section 3 we prove Theorem 1.5, and in the final section we give the heuristic argument mentioned above. In an appendix we include a proof of Theorem 1.2.

2. Nonexistence results 
In this section we prove Theorem 1.3 in the following form:

Theorem 2.1. Suppose $x^n(x^k + a)$ permutes $\mathbb F_p$, where $n, k > 0$ and $a \in \mathbb F_p^*$. Then

$$\gcd(k, p-1) > \sqrt{p - 3/4} - 1/2 > \sqrt p - 1.$$

Our proof relies on Hermite's criterion [10], [5]:

Lemma 2.2. A polynomial $f \in \mathbb F_q[x]$ is a permutation polynomial if and only if

(1) for each $i$ with $0 < i < q-1$, the reduction of $f^i$ modulo $x^q - x$ has degree less than $q-1$; and

(2) $f$ has precisely one root in $\mathbb F_q$.

Proof of Theorem 2.1. Pick $j > 0$ such that $jk \equiv \gcd(k, p-1) \pmod{p-1}$ and $\gcd(j, p-1) = 1$; then $x^n(x^k + a)$ permutes $\mathbb F_p$ if and only if $x^{nj}\bigl(x^{jk \bmod (p-1)} + a\bigr)$ permutes $\mathbb F_p$, so we may assume that $k$ divides $p-1$. Suppose $f := x^n(x^k + a)$ permutes $\mathbb F_p$, where $k \mid (p-1)$ and $k < \sqrt{p - 3/4} - 1/2$ (and $n, k > 0$ and $a \in \mathbb F_p^*$). Then $k^2 + k + 1 < p$. Let $r$ be the least integer such that $r \ge (p-1-k)/k^2$. Then $r < (p-1-k)/k^2 + 1$, so

$$kr < (p-1)/k - 1 + k = (k-1)\bigl(1 - (p-1)/k\bigr) + p - 1 \le p - 1.$$

Also the inequality $k^2 + k + 1 < p$ implies $(p-1-k)/k^2 > 1$, so $r > 1$.

We will apply Hermite's criterion with exponent $kr$. To this end, we compute

$$f^{kr} = x^{nkr}(x^k + a)^{kr} = x^{nkr}\sum_{i=0}^{kr}\binom{kr}{i} a^{kr-i} x^{ki}.$$

Write $f^{kr} = \sum_{i=0}^{kr} b_i x^{nkr + ki}$, where $b_i = \binom{kr}{i} a^{kr-i}$. Since $0 < kr < p$ and $p$ is prime, each $b_i$ is nonzero. Thus, the degrees of the terms of $f^{kr}$ are

$$nkr,\ nkr + k,\ nkr + 2k,\ \dots,\ nkr + k^2 r.$$

Since $k^2 r \ge p - 1 - k$, the degrees include members of every residue class modulo $p-1$ containing multiples of $k$. In particular, there is a term of degree divisible by $p-1$; but, since $0 < kr < p-1$, Hermite's criterion implies that $f^{kr}$ cannot have a unique term of degree divisible by $p-1$, so there must be more than one such term. Thus, $nkr \equiv -E \pmod{p-1}$ for some $E$ with $0 \le E \le k^2 r - (p-1)$. Likewise, the degrees of the terms of $f^{k(r-1)}$ are

$$nk(r-1),\ nk(r-1) + k,\ nk(r-1) + 2k,\ \dots,\ nk(r-1) + k^2(r-1).$$

Since $k^2(r-1) < p - 1 - k$, these degrees are all in distinct classes modulo $p-1$, so by Hermite's criterion none of the degrees can be divisible by $p-1$. Thus, $nk(r-1) \equiv F \pmod{p-1}$ for some $F$ with $k \le F \le p - 1 - k - k^2(r-1)$. Now we have

$$E(r-1) \equiv -nkr(r-1) \equiv -Fr \pmod{p-1},$$

so $E(r-1) + Fr$ is a multiple of $p-1$. But

$$0 < kr \le E(r-1) + Fr \le k^2 r(r-1) - (p-1)(r-1) + (p-1)r - kr - k^2(r-1)r = p - 1 - kr < p - 1,$$

so $E(r-1) + Fr$ lies strictly between consecutive multiples of $p-1$, a contradiction. □

Remark 2.3. The above proof shows that, if $\gcd(k, p-1) < \sqrt{p - 3/4} - 1/2$, then there exists $i$ with $0 < i < p-1$ for which the polynomial $(x^n(x^k + a))^i$ has a unique term of degree divisible by $p-1$, contradicting our hypothesis that $x^n(x^k + a)$ permutes $\mathbb F_p$. As discussed in the introduction, we suspect that Theorem 2.1 can be improved substantially. However, improving our bound by more than a constant factor will require a new method: if $\gcd(k, p-1) > \sqrt{2p - 7/4} - 1/2$, then there is no $i > 0$ for which $(x^n(x^k + a))^i$ has a unique term of degree divisible by $p-1$.

We now list some consequences of Theorem 2.1.

Corollary 2.4. If $x^n(x^k + a)$ permutes $\mathbb F_p$, where $n, k > 0$ and $a \in \mathbb F_p^*$, then $\gcd(k, p-1) \notin \{2, 4\}$.

Proof. When $p > 19$, this is an immediate consequence of Theorem 2.1. Otherwise, the result can be verified via computer. □

In case either $(p-1)/2$ or $(p-1)/4$ is prime, Corollary 2.4 was conjectured in [15]. We proved this conjecture in our previous paper [16], where moreover we proved that the hypotheses of Corollary 2.4 imply $\gcd(k, p-1) \notin \{2, 4\}$ (without assuming primality of $(p-1)/2$ or $(p-1)/4$). Our proof in [16] did not rely on any computer calculations; instead we used repeated applications of Hermite's criterion in several different cases (depending on the class of $p$ mod $16$). By using a computer to verify small cases, we can go much further than Corollary 2.4. For instance:
Corollary 2.5. Suppose $x^n(x^k + a)$ permutes $\mathbb F_p$, where $n, k > 0$ and $a \in \mathbb F_p^*$. If $\gcd(k, p-1) = 5$, then $p = 11$. If $\gcd(k, p-1) = 6$, then $p \in \{7, 13, 19, 31\}$. If $\gcd(k, p-1) = 7$, then $p = 29$. If $\gcd(k, p-1) = 8$, then $p = 17$. Conversely, each of these possibilities actually occurs for some $n, k, a$.

There is no difficulty extending this to larger values of $\gcd(k, p-1)$.
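As an added illustration (not code from the paper), the following Python script implements Hermite's criterion exactly as stated in Lemma 2.2, compares it with the direct definition of a permutation polynomial, and checks the two exponents $kr$ and $k(r-1)$ from the proof of Theorem 2.1 on a binomial that the theorem rules out. Over $\mathbb F_{31}$ with $k = 3$ the bound of Theorem 2.1 is $\sqrt{31 - 3/4} - 1/2 = 5$, so no $x^n(x^3 + a)$ permutes $\mathbb F_{31}$, and the script finds the witness exponent $9 = kr$ for $x^4 + x$; it also recomputes the set of values $\gcd(k, p-1)$ behind Corollaries 2.4 and 2.5 for $p = 11$. The sample values ($x^6 + 2x$ over $\mathbb F_{11}$, the primes $11$ and $31$) and all function names are this example's own choices.

```python
from math import gcd


def reduce_mod_xp_minus_x(poly, p):
    """Reduce a polynomial over F_p (dict exponent -> coefficient) modulo x^p - x.
    On F_p we have x^p = x, so for e >= 1 the exponent e collapses to ((e-1) mod (p-1)) + 1."""
    out = {}
    for e, c in poly.items():
        c %= p
        if c == 0:
            continue
        e_red = e if e == 0 else ((e - 1) % (p - 1)) + 1
        out[e_red] = (out.get(e_red, 0) + c) % p
    return {e: c for e, c in out.items() if c}


def poly_mul(f, g, p):
    prod = {}
    for e1, c1 in f.items():
        for e2, c2 in g.items():
            prod[e1 + e2] = (prod.get(e1 + e2, 0) + c1 * c2) % p
    return reduce_mod_xp_minus_x(prod, p)


def poly_pow(f, i, p):
    """f^i reduced modulo x^p - x, by square-and-multiply (reducing after each step)."""
    result, base = {0: 1}, reduce_mod_xp_minus_x(f, p)
    while i:
        if i & 1:
            result = poly_mul(result, base, p)
        base = poly_mul(base, base, p)
        i >>= 1
    return result


def degree(poly):
    return max(poly) if poly else -1


def binomial(n, k, a):
    """The binomial x^n (x^k + a) = x^(n+k) + a x^n as a coefficient dict."""
    return {n + k: 1, n: a}


def evaluate(poly, x, p):
    return sum(c * pow(x, e, p) for e, c in poly.items()) % p


def brute_is_pp(poly, p):
    """Direct definition: the value set of f on F_p has p elements."""
    return len({evaluate(poly, x, p) for x in range(p)}) == p


def hermite_witness(poly, p):
    """Smallest exponent i with 0 < i < p-1 for which f^i mod (x^p - x) has degree p-1,
    i.e. an exponent violating condition (1) of Lemma 2.2; None if there is none."""
    for i in range(1, p - 1):
        if degree(poly_pow(poly, i, p)) == p - 1:
            return i
    return None


def hermite_is_pp(poly, p):
    """Hermite's criterion (Lemma 2.2): no witness exponent, and exactly one root in F_p."""
    roots = sum(1 for x in range(p) if evaluate(poly, x, p) == 0)
    return hermite_witness(poly, p) is None and roots == 1


def proof_exponents(k, p):
    """The exponents kr and k(r-1) used in the proof of Theorem 2.1 (assumes k | p-1),
    where r is the least integer with r >= (p-1-k)/k^2."""
    r = -((-(p - 1 - k)) // (k * k))  # ceiling division
    return k * r, k * (r - 1)


def theorem_2_1_bound(p):
    """The lower bound sqrt(p - 3/4) - 1/2 on gcd(k, p-1) from Theorem 2.1."""
    return (p - 0.75) ** 0.5 - 0.5


def pp_gcds(p):
    """Set of gcd(k, p-1) over all permutation binomials x^n(x^k + a) over F_p with
    0 < n, k < p and a != 0: the computer check behind Corollaries 2.4 and 2.5."""
    found = set()
    for k in range(1, p):
        for n in range(1, p):
            for a in range(1, p):
                if brute_is_pp(binomial(n, k, a), p):
                    found.add(gcd(k, p - 1))
    return found


if __name__ == "__main__":
    f = binomial(1, 5, 2)  # x^6 + 2x over F_11 (a constructed sample)
    print(brute_is_pp(f, 11), hermite_is_pp(f, 11))                       # True True
    print(proof_exponents(3, 31), hermite_witness(binomial(1, 3, 1), 31))   # (9, 6) 9
    print(theorem_2_1_bound(31), pp_gcds(11))                               # 5.0 {5, 10}
```

The witness search mirrors Remark 2.3: for $p = 31$, $k = 3$ the proof guarantees that one of $f^{9}$, $f^{6}$ has a unique term of degree divisible by $30$, so the smallest witness is never larger than $9$, whatever $n$ and $a$ are.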

3. Existence results 

In this section we estimate the number of permutation binomials of prescribed shapes.

Theorem 3.1. Let $n, k > 0$ be integers with $\gcd(n, k, q-1) = 1$, and suppose $q \ge 4$. If $\gcd(k, q-1) > 2q(\log\log q)/\log q$, then there exists $a \in \mathbb F_q^*$ such that $x^n(x^k + a)$ permutes $\mathbb F_q$. Further, letting $T$ denote the number of $a \in \mathbb F_q$ for which $x^n(x^k + a)$ permutes $\mathbb F_q$, and writing $r := (q-1)/\gcd(k, q-1)$, we have

$$\frac{r!}{r^r}\Bigl(q + 1 - \sqrt q\,(r^{r+1} - 2r^r - r^{r-1} + 2) - (r+1)r^{r-1}\Bigr) \le T \le \frac{r!}{r^r}\Bigl(q + 1 + \sqrt q\,(r^{r+1} - 2r^r - r^{r-1} + 2)\Bigr).$$

Corollary 3.2. For fixed $r$, as $q \to \infty$ we have $T \sim q(r!)/r^r$.

Note that Stirling's approximation says that $r!/r^r$ is asymptotic to $\sqrt{2\pi r}/e^r$ as $r \to \infty$.

We will prove Theorem 3.1 as a consequence of several lemmas, which we suspect will be useful in future work improving the bounds in Theorem 3.1. In these lemmas, $\mu_r$ denotes the set of $r$-th roots of unity in $\mathbb F_q$, and $\mathrm{Sym}(\mu_r)$ denotes the set of permutations of $\mu_r$.

Lemma 3.3. Let $k, n > 0$ be integers with $k \mid (q-1)$ and $\gcd(n, k) = 1$, and put $r := (q-1)/k$. For $a \in \mathbb F_q$, the polynomial $f(x) := x^n(x^k + a)$ permutes $\mathbb F_q$ if and only if there exists $\pi \in \mathrm{Sym}(\mu_r)$ such that every $\zeta \in \mu_r$ satisfies $(\zeta + a)^k = \pi(\zeta)/\zeta^n$.

Proof. For $\delta \in \mu_k$ we have $f(\delta x) = \delta^n f(x)$; since $\gcd(n, k) = 1$, it follows that the values of $f$ on $\mathbb F_q$ comprise all the $k$-th roots of the values of $f(x)^k = x^{nk}(x^k + a)^k$. Thus, $f$ permutes $\mathbb F_q$ if and only if $g(x) := x^n(x + a)^k$ permutes the set of $k$-th powers in $\mathbb F_q$, or in other words $g$ permutes $\mu_r$. Writing $\pi$ for the map $\mu_r \to \mathbb F_q$ induced by $g$, the result follows. □
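The reduction in Lemma 3.3 is what makes counting $T$ cheap in practice: instead of evaluating $x^n(x^k + a)$ on all of $\mathbb F_q$, one evaluates $g(\zeta) = \zeta^n(\zeta + a)^k$ on the $r$ elements of $\mu_r$. The Python script below is an added example, not the authors' code; it takes $q$ prime so that $\mathbb F_q$ is $\mathbb Z/q\mathbb Z$ (an assumption of the example only; the lemma holds for every prime power $q$), checks Lemma 3.3 against the direct definition over $\mathbb F_{31}$, and computes $T$ for $x(x^{50} + a)$ over $\mathbb F_{101}$. There $r = 2$, the genus in Lemma 3.5 is $0$, and the interval of Theorem 3.1 is $[48, 51]$; the computed value is $49$, close to the random-map prediction $q\,r!/r^r = 50.5$ of Corollary 3.2. The sample values and function names are this example's own.

```python
from math import gcd, factorial, sqrt


def mu_r(q, r):
    """The r-th roots of unity in F_q; q is taken prime here (assumption of this example)."""
    assert (q - 1) % r == 0
    return sorted({pow(x, (q - 1) // r, q) for x in range(1, q)})


def permutes_via_lemma_3_3(n, k, a, q):
    """Lemma 3.3: for k | (q-1), gcd(n, k) = 1 and r = (q-1)/k, the binomial x^n(x^k + a)
    permutes F_q iff g(z) = z^n (z + a)^k permutes mu_r (so g induces some pi in Sym(mu_r))."""
    assert (q - 1) % k == 0 and gcd(n, k) == 1
    r = (q - 1) // k
    mu = mu_r(q, r)
    images = {(pow(z, n, q) * pow((z + a) % q, k, q)) % q for z in mu}
    return images == set(mu)  # r distinct images, all of them inside mu_r


def permutes_brute(n, k, a, q):
    """Direct check of x^n(x^k + a) = x^(n+k) + a x^n on all of F_q."""
    return len({(pow(x, n + k, q) + a * pow(x, n, q)) % q for x in range(q)}) == q


def count_T(n, k, q):
    """T of Theorem 3.1: the number of a in F_q for which x^n(x^k + a) permutes F_q."""
    return sum(1 for a in range(q) if permutes_via_lemma_3_3(n, k, a, q))


def theorem_3_1_bounds(q, r):
    """The interval [lower, upper] that Theorem 3.1 guarantees for T;
    r^(r+1) - 2r^r - r^(r-1) + 2 is twice the genus of F_pi (Lemma 3.5)."""
    two_g = r ** (r + 1) - 2 * r ** r - r ** (r - 1) + 2
    scale = factorial(r) / r ** r
    lower = scale * (q + 1 - sqrt(q) * two_g - (r + 1) * r ** (r - 1))
    upper = scale * (q + 1 + sqrt(q) * two_g)
    return lower, upper


def heuristic_T(q, r):
    """q * r!/r^r: the count predicted if g behaved like a random map mu_r -> mu_r
    (Corollary 3.2 and the heuristic of Section 4)."""
    return q * factorial(r) / r ** r


def lemma_agrees_with_brute_force(q):
    """Compare Lemma 3.3 with the direct definition for every admissible (n, k, a) over F_q."""
    for k in range(1, q):
        if (q - 1) % k:
            continue
        r = (q - 1) // k
        for n in range(1, r + 1):  # by Lemma 3.3 only n modulo r matters
            if gcd(n, k) != 1:
                continue
            for a in range(q):
                if permutes_via_lemma_3_3(n, k, a, q) != permutes_brute(n, k, a, q):
                    return False
    return True


if __name__ == "__main__":
    print(count_T(1, 50, 101), theorem_3_1_bounds(101, 2), heuristic_T(101, 2))  # 49 (48.0, 51.0) 50.5
    print(count_T(1, 5, 11), lemma_agrees_with_brute_force(31))                  # 4 True
```

For $q = 101$, $k = 50$, $n = 1$ the condition of Lemma 3.3 on $\mu_2 = \{1, -1\}$ reduces to $\{(1+a)^{50},\, -(a-1)^{50}\} = \{1, -1\}$, i.e. $1 - a^2$ must be a nonzero square; counting those $a$ (including $a = 0$, which gives the permutation monomial $x^{51}$) yields the $49$ returned by the script.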

Next we restate Lemma 3.3 in terms of solutions to a system of nonlinear equations over $\mathbb F_q$. In this statement, $\nu : \mu_r \to \mathbb F_q^*$ is a fixed map with the property that $\nu(\zeta)^k = \zeta$ for every $\zeta \in \mu_r$.

Lemma 3.4. Let $k, n, r$ be as in Lemma 3.3. For $a \in \mathbb F_q$, the polynomial $f(x) := x^n(x^k + a)$ permutes $\mathbb F_q$ if and only if there exists $\pi \in \mathrm{Sym}(\mu_r)$ such that, for each $\zeta \in \mu_r$, there is a solution $y_\zeta \in \mathbb F_q^*$ to the equation $\zeta + a = y_\zeta^r\,\nu(\pi(\zeta)/\zeta^n)$. Moreover, for any fixed $a \in \mathbb F_q$, there is at most one such permutation $\pi$.

Proof. By Lemma 3.3, $f$ permutes $\mathbb F_q$ if and only if there exists $\pi \in \mathrm{Sym}(\mu_r)$ such that $(\zeta + a)^k = \pi(\zeta)/\zeta^n$ for all $\zeta \in \mu_r$. This equation shows that at most one $\pi$ corresponds to a given $f$. For fixed $\pi$ and $\zeta$, the equation is equivalent to the existence of $y_\zeta \in \mathbb F_q^*$ such that $\zeta + a = y_\zeta^r\,\nu(\pi(\zeta)/\zeta^n)$. □



ARIANE M. MASUDA AND MICHAEL E. ZIEVE

Let $A$ be transcendental over $\mathbb F_q$, and for $\pi \in \mathrm{Sym}(\mu_r)$ let $F_\pi := \mathbb F_q(\{Y_\zeta : \zeta \in \mu_r\})$, where $Y_\zeta^r\,\nu(\pi(\zeta)/\zeta^n) = \zeta + A$. We will translate Lemma 3.4 into a statement about $F_\pi$, which will enable us to apply Weil's bound on the number of degree-one places of a function field over a finite field. In order to make this translation, we need to know some basic facts about $F_\pi$, which we record in the next lemma. In the remainder of this section we use various standard facts about algebraic function fields, for which a convenient reference is [25].



Lemma 3.5. Let $k, n, r$ be as in Lemma 3.3. Then $\mathbb F_q$ is algebraically closed in $F_\pi$, and $F_\pi/\mathbb F_q(A)$ is Galois with group $(\mathbb Z/r\mathbb Z)^r$. Moreover, the extension $F_\pi/\mathbb F_q(A)$ has ramification index $r$ over $A = \infty$ and $A \in -\mu_r$, and is unramified over all other places of $\mathbb F_q(A)$. The genus of $F_\pi$ is $(r^{r+1} - 2r^r - r^{r-1} + 2)/2$.

Proof. Let $E_\zeta$ be the field $\mathbb F_q(Y_\zeta)$. Then $E_\zeta/\mathbb F_q(A)$ is a degree-$r$ Kummer extension which is totally ramified over $A = \infty$ and $A = -\zeta$ and unramified over all other places. Since each extension $E_\zeta/\mathbb F_q(A)$ is totally ramified over a place which does not ramify in any other $E_{\zeta'}/\mathbb F_q(A)$, it follows that the compositum $F_\pi$ of the various fields $E_\zeta$ is a degree-$r^r$ extension of $\mathbb F_q(A)$ such that $\mathbb F_q$ is algebraically closed in $F_\pi$. Moreover, $F_\pi$ is a Galois extension of $\mathbb F_q(A)$ with Galois group $(\mathbb Z/r\mathbb Z)^r$. By Abhyankar's lemma, $F_\pi/\mathbb F_q(A)$ has ramification index $r$ over $A = \infty$ and $A \in -\mu_r$, and this extension is unramified over all other places of $\mathbb F_q(A)$. Now the Riemann–Hurwitz formula yields the genus of $F_\pi$. □



Now we can restate Lemma 3.4 in terms of places of $F_\pi$:

Lemma 3.6. Let $k, n, r$ be as in Lemma 3.3. For $a \in \mathbb F_q$, the polynomial $f(x) := x^n(x^k + a)$ permutes $\mathbb F_q$ if and only if there exists $\pi \in \mathrm{Sym}(\mu_r)$ such that $F_\pi$ has a degree-one place with $A = a$ and every $Y_\zeta \ne 0$. Moreover, for any fixed $a \in \mathbb F_q$, there is at most one such permutation $\pi$.

Proof of Theorem 3.1. Fix $k, n, r$. As in the proof of Theorem 2.1 we may assume $k \mid (q-1)$. Pick a permutation $\pi \in \mathrm{Sym}(\mu_r)$ and a map $\nu : \mu_r \to \mathbb F_q^*$ such that $\nu(\zeta)^k = \zeta$ for every $\zeta \in \mu_r$. Let $N_\pi$ denote the number of degree-one places of $F_\pi$. Then Weil's bound gives

$$|N_\pi - (q+1)| \le (r^{r+1} - 2r^r - r^{r-1} + 2)\sqrt q.$$

The ramified places in $F_\pi/\mathbb F_q(A)$ are precisely the places of $F_\pi$ for which either $A = \infty$ or some $Y_\zeta \in \{0, \infty\}$. The number of such places is at most $(r+1)r^{r-1}$. All other rational places of $F_\pi$ occur in $\mathrm{Gal}(F_\pi/\mathbb F_q(A))$-orbits of size $r^r$, with each orbit corresponding to a unique place of $\mathbb F_q(A)$. Let $T$ denote the number of values $a \in \mathbb F_q$ for which $x^n(x^k + a)$ permutes $\mathbb F_q$. By Lemma 3.6 we have

$$\frac{q + 1 - (r^{r+1} - 2r^r - r^{r-1} + 2)\sqrt q - (r+1)r^{r-1}}{r^r} \le \frac{T}{r!} \le \frac{q + 1 + (r^{r+1} - 2r^r - r^{r-1} + 2)\sqrt q}{r^r}.$$

In particular, $T \ge 1$ whenever $q > r^{2r+2}$ and $q \ge 2$. The former inequality is true whenever $q \ge 7$ and $r \le (\log q)/(2\log\log q)$, or equivalently $q \ge 7$ and

$$k \ge \frac{2(q-1)\log\log q}{\log q}.$$

For $q \in \{4, 5\}$ we have $2q(\log\log q)/\log q > (q-1)/2$, so it remains to show that there are permutation binomials $x^n(x^{q-1} + a)$ (with $a \ne 0$) for every $n$ coprime to $q-1$. By Lemma 3.3 this binomial permutes $\mathbb F_q$ whenever $a \in \mathbb F_q^* \setminus \{-1\}$. □

Remark 3.7. In this proof, we treated the various $\pi$'s independently. This is inefficient, especially since distinct $\pi$'s give disjoint sets of $a$'s. If one could combine the information from distinct $\pi$'s more effectively, it might be possible to remove the $\log\log q$ factor from Theorem 3.1. We now take a first step in this direction (based on an idea in [5]), by effectively combining the information from $r$ distinct $\pi$'s. To start with, consider any of the $(r-1)!$ permutations $\pi_0 \in \mathrm{Sym}(\mu_r)$ with $\pi_0(1) = 1$. Now the '$\zeta = 1$' equation $(1+a)^k = \pi(1)$ can be used as the definition of $\pi(1)$ (so long as $a \ne -1$), and we seek solutions for each of the $(r-1)!$ permutations $\pi = (1+a)^k\cdot\pi_0$. Thus, for each such $\pi$, we pick $\nu$ as before and consider the function field defined by $Y_\zeta^r\,\nu(\pi_0(\zeta)/\zeta^n) = (\zeta + A)/(1 + A)$. By the same method as above, we find that

$$\frac{q - 2\sqrt q + 1}{r^{r-1}} - (r-3)\sqrt q - 2 \le \frac{T}{(r-1)!} \le \frac{q + 2\sqrt q + 1}{r^{r-1}} + (r-3)\sqrt q.$$

Here, as usual, one can obtain better bounds by applying the various improvements to the Weil bound due to Manin [14], Ihara [11], Drinfel'd–Vladut [7], Serre [22, 23], Oesterlé [23], Stöhr–Voloch [26], etc.

The following variant was noted implicitly in [5] and explicitly in [32]: if $q$ is sufficiently large compared to $r$ and $q \equiv 1 \pmod r$, then there exists $a \in \mathbb F_q^*$ such that, for every $n, k > 0$ with $\gcd(n, q-1) = 1$ and $\gcd(k, q-1) = (q-1)/r$, the polynomial $x^n(x^k + a)$ permutes $\mathbb F_q$. The novel feature here is that a single $a$ works for every $n$ and $k$; one unfortunate aspect is that we need $\gcd(n, q-1) = 1$, whereas in Theorem 3.1 we required only that $\gcd(n, (q-1)/r) = 1$. The modified proof described in this remark gives a quantitative version of this result, so long as we restrict to $\pi_0$ being the identity. Let $\tilde T$ denote the number of values $a \in \mathbb F_q$ such that, for every $n, k > 0$ with $\gcd(n, q-1) = 1$ and $\gcd(k, q-1) = (q-1)/r$, the polynomial $x^n(x^k + a)$ permutes $\mathbb F_q$. Our proof in this remark (with $\pi_0(x) = x$) shows that

$$\tilde T \ge \frac{q - 2\sqrt q + 1}{r^{r-1}} - \sqrt q\,(r-3) - 2.$$

Remark 3.8. In case $r = 2$, the function field occurring in the proof of Theorem 3.1 has genus zero, and hence can be parametrized. This leads to explicit expressions for the allowable values of $a$ in this case [H, 30, 31]. For larger values of $r$, the field $F_\pi$ has larger genus, so one does not expect a simple exact formula for its number of rational places. And indeed, already for $r = 3$ the data suggests there is no simple formula for the number of $a \in \mathbb F_q$ such that $x(x^{(q-1)/3} + a)$ permutes $\mathbb F_q$, or more generally for the number of permutation binomials of degree less than $q$ for which $(q-1)/r$ is the gcd of $q-1$ with the difference between the degrees of the terms. A priori it is conceivable that there might be a nice formula for the latter number but no nice formula for the former, since the latter corresponds to the sum of the numbers of rational places on the various fields $F_\pi$; however, the data suggests there are no nice formulas when $r > 2$.

Remark 3.9. Theorem 3.1 is a refinement of a result of Carlitz and Wells [5]. Our version differs from the original one in various ways: it is effective, it gives an estimate on the number of permutation binomials of prescribed shapes, it applies when $\gcd(n, k, q-1) = 1$ rather than $\gcd(n, q-1) = 1$, and the proof is geometric (in contrast to the intricate manipulation of character sums in [5]). Still, we emphasize that the key idea of using the Weil bound to prove existence of permutation binomials is due to Carlitz [4].



4. Heuristic 

In this section we give a heuristic suggesting that 'at random' there would not be any permutation binomials $x^m + ax^n$ over $\mathbb F_q$ (with $m > n > 0$) such that $\gcd(m-n, q-1) < q/(2\log q)$, at least for $q$ sufficiently large.

As in the proof of Theorem 2.1 it suffices to consider $f(x) := x^n(x^k + a)$ where $k \mid (q-1)$ and $n$ is coprime to $k$. By Lemma 3.3, for fixed $k$, we need only consider a single such value $n$ in each class modulo $(q-1)/k$ which contains integers coprime to $k$. Further, since composing $f(x)$ on both sides with scalar multiples does not affect whether $f(x)$ permutes $\mathbb F_q$, we need only consider $a$'s representing the distinct cosets of the $k$-th powers in $\mathbb F_q^*$ (for fixed $k$ and $n$). Thus, for fixed $k$, there are fewer than $q$ polynomials to consider. Since $\gcd(n, k) = 1$, the values of $f$ comprise all the $k$-th roots of the values of $f^k$, but the latter are just $0$ and the values of $x^n(x + a)^k$ on $(\mathbb F_q^*)^k$. Thus, $f$ permutes $\mathbb F_q$ if and only if $g(x) := x^n(x + a)^k$ permutes $(\mathbb F_q^*)^k$. Note that $(\mathbb F_q^*)^k$ equals the group $\mu_r$ of $r$-th roots of unity in $\mathbb F_q^*$, where $r := (q-1)/k$. Here $g$ maps $\mu_r$ into $\mu_r$ if and only if $(-a)^r \ne 1$, which we assume in what follows. Now, the probability that a random mapping $\mu_r \to \mu_r$ is bijective is $r!/r^r$. Assuming that $g$ behaves like a random map, the expected number of permutation binomials of the form $x^n(x^k + a)$ (for fixed $q$, after our various equivalences on $n, k, a$) is at most $q(r!)/r^r$. Restricting to $k < q/(2\log q)$ and summing over all $q$, we get an expected number

$$E := \sum_{q}\ \sum_{\substack{r \mid (q-1)\\ r > 2\log q}} \frac{q\, r!}{r^r}.$$

We now show that $E$ is finite. By reversing the order of summation, we find that $E = \sum_{r=1}^{\infty} (r!/r^r)\,F(r)$, where

$$F(r) := \sum_{\substack{q < e^{r/2}\\ q \equiv 1 \ (\mathrm{mod}\ r)\\ q \text{ prime power}}} q.$$

The number of prime powers less than $x$ which are not prime is at most

$$\sum_{n=2}^{\lfloor \log_2 x\rfloor} x^{1/n} \le \sqrt x + \sqrt[3]{x}\,\log_2 x.$$

Thus, for fixed $r$, the number of nonprime $q$ which contribute to $F(r)$ is at most $e^{r/4} + e^{r/6}\,r/(2\log 2)$. By the Brun–Titchmarsh theorem [Thm. 3.8], the number of prime $q$ which contribute to $F(r)$ is at most

$$\frac{3e^{r/2}}{\phi(r)\,(r/2 - \log r)}.$$

PERMUTATION BINOMIALS OVER FINITE FIELDS

Since

$$\phi(r) > \frac{r}{e^{\gamma}\log\log r + 3/\log\log r}$$

for $r \ge 3$ ([Thm. 15]), for $r \ge 3$ we have

$$F(r) \le \frac{3e^{r}\bigl(e^{\gamma}\log\log r + 3/\log\log r\bigr)}{r\,(r/2 - \log r)} + e^{3r/4} + \frac{r\,e^{2r/3}}{2\log 2}.$$

Using Stirling's inequality $r! \le (r/e)^r\sqrt{2\pi r}\,e^{1/(12r)}$, we get

$$\sum_{r=3}^{\infty}\frac{r!}{r^r}F(r) \le \sum_{r=3}^{\infty}\sqrt{2\pi r}\,e^{1/(12r)}\left(\frac{3\bigl(e^{\gamma}\log\log r + 3/\log\log r\bigr)}{r\,(r/2 - \log r)} + e^{-r/4} + \frac{r\,e^{-r/3}}{2\log 2}\right),$$

which is finite. By combining the above bounds on $F(r)$ with explicit calculation of the first few values of $F(r)$, we find that $E < 40$.

Since $E$ is finite (and small), we expect that 'at random' there would be few (or no) permutation binomials $x^m + ax^n$ over $\mathbb F_q$ with $m > n > 0$ and $\gcd(m-n, q-1) < q/(2\log q)$.

We used a computer to verify that, for $p < 10^{?}$, there are no permutation binomials $x^m + ax^n$ over $\mathbb F_p$ with $m > n > 0$ and $\gcd(m-n, p-1) < p/(2\log p)$. Combined with the above heuristic, this leads us to conjecture that the same conclusion holds for all primes $p$.
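To make the heuristic concrete, the following added Python script (not from the paper) evaluates partial sums of the series $E$ over prime powers $q \le q_{\max}$ and, for small primes $p$, enumerates every permutation binomial $x^m + ax^n$ with $p > m > n > 0$ and $a \ne 0$ by brute force, then checks the list against Theorem 1.2, Theorem 1.3 and the conjecture above (no permutation binomial with $\gcd(m-n, p-1) < p/(2\log p)$). The prime range, the cutoff $q_{\max}$ and the function names are choices made for this example.

```python
from math import gcd, factorial, log


def is_prime_power(n):
    """True iff n = p^e with p prime and e >= 1 (trial division)."""
    if n < 2:
        return False
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            while n % p == 0:
                n //= p
            return n == 1
    return True


def heuristic_E_partial(q_max):
    """Partial sum of the series E of Section 4: over prime powers q <= q_max and
    divisors r of q-1 with r > 2 log q, add q * r!/r^r."""
    total = 0.0
    for q in range(2, q_max + 1):
        if not is_prime_power(q):
            continue
        for r in range(1, q):
            if (q - 1) % r == 0 and r > 2 * log(q):
                total += q * factorial(r) / r ** r
    return total


def is_permutation_binomial(m, n, a, p):
    """Direct test of x^m + a x^n on F_p, stopping at the first repeated value."""
    seen = set()
    for x in range(p):
        v = (pow(x, m, p) + a * pow(x, n, p)) % p
        if v in seen:
            return False
        seen.add(v)
    return True


def check_prime(p):
    """List every permutation binomial x^m + a x^n over F_p with p > m > n > 0 and a != 0,
    and test the list against Theorem 1.2, Theorem 1.3 and the Section 4 conjecture
    gcd(m-n, p-1) >= p/(2 log p)."""
    pps = [(m, n, a) for m in range(2, p) for n in range(1, m) for a in range(1, p)
           if is_permutation_binomial(m, n, a, p)]
    gcds = [gcd(m - n, p - 1) for m, n, a in pps]
    return {
        "count": len(pps),
        "min_gcd": min(gcds),
        "theorem_1_3": all(g > (p - 0.75) ** 0.5 - 0.5 for g in gcds),
        "theorem_1_2": all(p - 1 <= (m - 1) * max(n, g) for (m, n, a), g in zip(pps, gcds)),
        "conjecture": min(gcds) >= p / (2 * log(p)),
    }


if __name__ == "__main__":
    print(round(heuristic_E_partial(500), 3))   # a small number, far below the bound E < 40
    for p in (7, 11, 13, 17, 19, 23, 29, 31):
        print(p, check_prime(p))                  # e.g. min_gcd 3 for p = 7, 5 for p = 11
```

The smallest gcd found for $p = 7$ is $3$ (from $x^4 + 3x$) and for $p = 11$ it is $5$ (from $x^6 + 2x$), matching Corollary 2.5; in every case the minimum stays above $p/(2\log p)$, as the conjecture predicts.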

On the other hand, the heuristic applies to nonprime fields as well, and for those fields we know some infinite families of counterexamples. For instance, in [27], Tom Tucker and the second author showed that $x^{?} + ax$ permutes $\mathbb F_{p^2}$ whenever $\#(a^{?}) = 6$. Several additional examples can be found in [27], and we will present further examples in a forthcoming paper. However, every known counterexample over a nonprime field has unusual properties related to the subfields of $\mathbb F_q$; thus, we view these examples as violating the randomness hypotheses of our heuristic, rather than the heuristic itself.



Appendix

In this appendix we prove the following result:

Theorem 1.2. If $x^m + ax^n$ permutes the prime field $\mathbb F_p$, where $m > n > 0$ and $a \in \mathbb F_p^*$, then $p - 1 \le (m-1)\cdot\max(n, \gcd(m-n, p-1))$.

As noted in the introduction, this result follows from Theorem 1.3 in all cases except when $n = 1$ and $(m-1) \mid (p-1)$. However, the proof we present here is quite different from the proof of Theorem 1.3, so the method might well be useful in other investigations. Theorem 1.2 may be viewed as the 'least common generalization' of a result of Wan and a result of Turnwald. Our proof uses ideas from both of their proofs. Wan's result [30, Thm. 1.3] is

Theorem. If $x^m + ax$ permutes the prime field $\mathbb F_p$, where $m > 1$ and $a \in \mathbb F_p^*$, then $p - 1 \le (m-1)\cdot\gcd(m-1, p-1)$.

Turnwald's result [28, Thm. 2] is

Theorem. If $x^m + ax^n$ permutes $\mathbb F_p$, where $m > n > 0$ and $a \in \mathbb F_p^*$, then $p \le m\cdot\max(n, m-n)$.

Proof of Theorem 1.2. Suppose $f(x) := x^m + ax^n$ permutes $\mathbb F_p$, where $m > n > 0$ and $a \in \mathbb F_p^*$. If $f(x) = \hat f(x^d)$ for some polynomial $\hat f$ and some $d > 1$, then the desired inequality for $f$ would follow from the corresponding inequality for $\hat f$; thus, we may assume $\gcd(m, n) = 1$. Moreover, since $f$ permutes $\mathbb F_p$ we have $\gcd(m-n, p-1) > 1$ (since otherwise $f$ has more than one root), so $n \le m - 2$ and $m \ge 3$. Write $p = mk + r$ with $0 \le r < m$. Since $\gcd(n, m-n) = 1$, there are integers $u, v$ with $nu - (m-n)v = r - 1$; we may assume $0 \le u \le m - n$. Thus

$$v = (nu - r + 1)/(m-n) < n + 1/(m-n) \le n + 1,$$

so $v \le n$. Also $v \ge (n - m + 1)/(m-n) > -1$, so $v \ge 0$.

If $v > k$, then (since $k = \lfloor p/m \rfloor$) we have $p < mv \le mn$, so the result holds. Henceforth we assume $v \le k$. Moreover, since $\gcd(m-n, p-1) \ge 2$, the result is clear when $m > p/2$; thus, we assume $m < p/2$. Since $3 \le m$, this implies $p \ge 7$ and $m \le p - 3$.

We will use Hermite's criterion with exponent $k + u$. Before doing so, we show that $0 < k + u < p - 1$. The first inequality is clear, since $u \ge 0$ and $k = \lfloor p/m \rfloor > 0$. Now,

$$k + u = \Bigl\lfloor \frac{p}{m} \Bigr\rfloor + u \le \frac{p}{m} + u \le \frac{p}{m} + m - n \le \frac{p}{m} + m - 1.$$

Since $p \ge m + 3$ (and $m \ge 3$), we have $p > m^2/(m-1)$, so $m < p(m-1)/m$ and thus $p/m + m < p$. Hence $k + u < p - 1$.

Since $0 < k + u < p - 1$, we have $p \nmid \binom{k+u}{i}$ for $0 \le i \le k + u$; hence the degrees of the terms of $f^{k+u}$ are precisely the numbers $mt + n(k + u - t)$ with $0 \le t \le k + u$. Since

$$p - 1 = mk + (r - 1) = mk + nu - (m-n)v = m(k - v) + n(u + v),$$

there is a term of degree $p - 1$. Since $f$ is a permutation polynomial, Hermite's criterion implies there must be another term of degree divisible by $p - 1$. Thus, there exists $\lambda \ne k - v$ with $0 \le \lambda \le k + u$ such that $m\lambda + n(k + u - \lambda) \equiv 0 \pmod{p-1}$. Since increasing $t$ will increase the value of $mt + n(k + u - t)$, and the value of this quantity for $t = \lambda$ is larger than the corresponding value for $t = k - v$, it follows that $\lambda > k - v$. Subtracting, we get $m(\lambda - (k - v)) + n(k - \lambda - v) \equiv 0 \pmod{p-1}$, so $p - 1$ divides $(m-n)(\lambda - (k - v))$. In other words, $(p-1)/\gcd(p-1, m-n)$ divides $\lambda - (k - v)$. Since $\lambda > k - v$, this implies

$$\frac{p-1}{\gcd(p-1, m-n)} \le \lambda - (k - v) \le (k + u) - (k - v) = u + v.$$

Since $u \le m - n$ and $v \le n$, we have $u + v \le m$; however, equality cannot hold, since it would imply that $r - 1 = nu - (m-n)v = 0$, so $r = 1$, whence $p - 1 = p - r = mk$, which is a contradiction since $m > 1$ is the degree of a permutation polynomial. Thus $u + v \le m - 1$, so $p - 1 \le (m-1)\cdot\gcd(p-1, m-n)$. □